1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Windows 2003 NTFS permissions

Discussion in 'Windows Server System' started by MichaelF, 2011/11/18.

  1. 2011/11/18
    MichaelF

    MichaelF Inactive Thread Starter

    Joined:
    2009/07/01
    Messages:
    49
    Likes Received:
    0
    Hello everyone!

    A couple of days ago I ran into a very strange issue with NTFS permissions on Windows Server 2003. I'm sure any operating system should not have problems of this kind but the results of my tests are quite disappointing. Should you have an opportunity to repeate my tests, I'll be very happy to know what your results are.


    Here are my tests:

    On my Win2008R2 Domain Controller I create a user 'vpnuser', change its Primary Group to some other group (say, 'ZeroDG') that does not have any permissions on any servers, add 'vpnuser' to "ZeroDG' and remove it from 'Domain users'. The goal of this to have a user account ('vpnuser') that does not inherit permissions of the 'Domain Users' group.

    My task is to grant a user ('vpnuser') access to a SUBfolder of any shared folder only.

    Concider this example:

    \\server1\Test\Docs\

    I need to grant a user 'vpnuser' ntfs permissions (for example, 'Read') on the folder 'Docs' only, 'vpnuser' should not have any access to the 'Test' folder. So the list of ntfs permissions is as follows:

    \\server1\Test\ = Administrators/FullControl, System/FullControl

    \\server1\Test\Docs\ = Administrators/FullControl, System/FullControl, VpnUser/Read


    Share permission for \\server1\Test = Everyone/FullControll


    The only way for 'vpnuser' to open 'Docs' folder is to type the whole path '\\server1\Test \Docs\' in the 'Start'-'Run' box.
    If this user tries to open folder "Test' (by typing \\server1\Test or in 'Network') he shoud get 'Access denied' error because \\server1\Test does not have any ntfs permissions neither for Domain Users group nor for 'vpnuser' user account.


    Test 1, run on Windows Server 2008 R2:

    I create \\server1\Test\Docs\ with permissions set as described above, try to open \\server1\Test\ as 'vpnuser' and get 'Access Denied' message. Then I successfully open \\server1\Test\Docs\.

    Test results are exactly as expected.


    Test 2, run on Windows Server 2003 R2:

    I create \\server2\Test\Docs\ with permissions set as described above, try to open \\server2\Test\ as 'vpnuser' and 'Test' folder window appears. Then I successfully open \\server2\Test\Docs\.

    In this test 'Vpnuser' was able to open \\server2\Test folder although it didn't have ANY ntfs permissions on it. Moreover, 'Effective permissions' tab of 'Security' window of 'Test' folder shows several permissions (Read, Execute...) for 'vpnuser' while the main 'Security' window still shows 'Administrators' and 'System' only!

    ???


    Thank you in advance,
    Michael
     
    Last edited: 2011/11/18
    MichaelF,
    #1

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...